Combining Wildcard and Regular Certificates

Hello,

I'm running CentOS 8, hosting mail and web on one server, and have successfully installed a regular certificate covering my domain example.com and www.example.com.

I'd like to cover example.com, www.example.com AND mail.example.com.

I'd assume I need to combine a wildcard certificate along with the installed regular certificate.

Is this possible? I did some google searching and to my surprise I didn't see much regarding this, even though it seems like an obvious thing many people would want to do.

I have my mail server web mail app (Squirrelmail) set up at my mail.example.com via an Apache virtual host, and my www.example.com/example.com hosting my website.

Thanks!
-Shane

Why the wildcard? Why not just get a certificate with all three hostnames in it?

And to answer your actual question:

Yes, it's possible to mix all the kinds of certificate you'd like in Apache.. Doesn't mean you need to though, see my question above.

2 Likes

When I set up the certificate, it offered me two options, a regular certificate covering www.example.com and example.com, and a wildcard certificate, but it specifically said it covered *.example.com but NOT example.com.

It's technically perfectly possible to include all the hostnames you've mentioned in this thread, including the wildcard, into a single certificate.

The question is: what piece of software offered you those options when "setting up" the certificate?

3 Likes

see, this is what I read on the certbot site:

"wildcard certificate

a wildcard certificate is a certificate that covers one or more names starting with *. and that will be accepted by a web browser for any subdomain name with any label in place of the * character. for example, a certificate for *.example.com will be valid for www.example.com, mail.example.com, hello.example.com, or goodbye.example.com, but not for example.com."

That's an explanation about how the wildcard hostname works. However, it does not directly say it's impossible to include example.com into the certificate too. That might be an oversight of the documentation though. To be honest, it should also explain the fix: just add example.com too :stuck_out_tongue: I'll see if I can open a GitHub issue for it.

1 Like
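The matching rule quoted above (one label in place of the `*`, and no coverage of the bare apex) is easy to get wrong when planning which names a certificate needs. The following is an added example, not code from the thread or from certbot: it implements that rule and reports which of the three wanted hostnames each constructed subjectAltName list would leave uncovered.

```python
"""Which hostnames does a given subjectAltName list actually cover?

Added example (not part of the original thread). Implements the browser
wildcard rule described in the certbot glossary: "*.example.com" matches
exactly one DNS label in place of the "*", so it covers www.example.com
and mail.example.com but neither example.com nor a.b.example.com.
All SAN lists below are constructed sample data, not real certificates.
"""


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot denotes the same name.
    return name.strip().rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    san = _normalise(san)
    hostname = _normalise(hostname)
    if not san or not hostname:
        return False
    if "*" not in san:
        # Plain entry: exact (case-insensitive) match only.
        return san == hostname
    labels = san.split(".")
    # Accept only "*.rest" with the wildcard as the whole left-most label
    # and at least two further labels (browsers reject "w*.example.com",
    # "*.*.example.com" and bare "*.com" style entries).
    if labels[0] != "*" or "*" in ".".join(labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # Exactly one label replaces the "*": same label count, identical suffix.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(san_list, hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in san_list)


def uncovered(san_list, hostnames):
    """Hostnames (in input order) that a certificate with san_list would NOT cover."""
    return [h for h in hostnames if not cert_covers(san_list, h)]


# Constructed SAN lists for the options discussed in the thread.
WILDCARD_ONLY = ["*.example.com"]                    # the "*.example.com but NOT example.com" case
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]  # wildcard with the apex added
THREE_NAMES = ["example.com", "www.example.com", "mail.example.com"]  # no wildcard at all
WANTED = ["example.com", "www.example.com", "mail.example.com"]

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX),
                        ("three explicit names", THREE_NAMES)]:
        missing = uncovered(sans, WANTED)
        print(f"{label:22s} SANs={sans} -> uncovered: {missing or 'none'}")
```

Running it shows that the wildcard-only certificate leaves example.com uncovered, while either adding the apex to the wildcard or simply listing all three names covers everything the original poster wanted. The check stops at name matching; whether a CA will issue a given wildcard is a separate policy question.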

Well, it's all very confusing. I can see these types of issues hindering the stated goal of 'encrypting the web 100%!'

So I guess the question is how exactly can I expand my existing certificate to include mail.example.com, or how do I add another certificate along with my existing one?

I looked over the ssl.conf in the apache conf.d directory, but I didn't see letsencrypt's certificates referenced there. Certbot works in a way I haven't figured out yet..

Depends on how you got the certificate in the first place. Could you share the exact command you've used to get the certificate?

Oh, they are referenced in there somewhere :wink: If you have used certbot to install the certificates, it would have copied the VirtualHost section into its own file suffixed by -le-ssl.conf.

1 Like

Sure:
I just followed the instructions for the default certificate installation:

  1. sudo dnf install certbot python3-certbot-apache
  2. sudo certbot --apache

Pretty sure that was it!

Just saw your reference to -le-ssl.conf. checking now.

OK, so that would mean you've used the apache plugin for authentication as well as for installing. We can work with that :slight_smile:

You should be able to run certbot --apache again. It should give you the same question again: which hostnames would you like to certify.. Or something like that. It should be possible to select example.com, www.example.com and mail.example.com. Now.. If your certbot is new enough it should ask you if you'd like to expand the current certificate. That means you'll get a single certificate with all three hostnames in it.
It's also possible, however, that it generates a new certificate alongside your previous one. This isn't bad, strictly speaking, but it is very confusing. But nothing we can't fix later :slight_smile:

So I'd suggest to run the certbot command just again and see what it asks :slight_smile:

By the way, opened an issue for the website: https://github.com/certbot/website/issues/660

1 Like

Oh I see. Makes more sense now, I missed seeing the -le-ssl.conf file.

I'd hope I could just install another certificate (cert only download) with certbot and manually just add the second certificate below the first one in that file. I'm sure it wouldn't be that easy though, of course (nothing is).

Just saw your reply. reading now. Thanks for the help!

1 Like

Well, that's possible too, of course. And isn't that hard. But I'm wondering why you might do that, when certbot should be able to do it for you?

You can generate a separate certificate for your mail subdomain if you'd like. Just select only that hostname when certbot asks you for the hostnames you want a certificate for.

2 Likes

oh my goodness it's asking:

Which names would you like to activate HTTPS for?

1: example.com
2: mail.example.com
3: www.example.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

How clever!!

1 Like

It also did this the first time you ran certbot, right? :stuck_out_tongue:

1 Like

here:

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.decisionconcepts.com
Waiting for verification...
Cleaning up challenges

Deploying Certificate to VirtualHost

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/

Well, I'll be. Amazing. I was prepared for a lot of nonsense.

Except I restarted Apache and it's not securing my mail.example.com site. Hmm.

It seems not to have installed the redirect from HTTP to HTTPS, because if you manually type https://, it works nicely.

1 Like

Yup, that was the reason. I was refreshing the site that was preloaded with http://

It works!!!!

Thank you so much!!

1 Like

Well, OK, the non-redirect isn't optimal.

Is that normal?

I don't think so.. Might be something that is working perfectly in the current version of certbot. You're using your OS distro package manager.. They often lag behind tremendously.

You can add the redirect manually (just look at what certbot put in the configuration file for the HTTP virtualhost of your main site and copy/paste it, while not forgetting to modify the hostname it looks for), or you might let certbot do it.. Not sure how though.. Perhaps by running certbot install --redirect --apache and selecting the three hostnames again. It should ask you something like "You already have a certificate, would you like to re-issue it? (no, you don't want to..) or to reinstall it? (yes, you want that)". But not sure what happens to be honest :stuck_out_tongue: I've never worked with certbot install before.

1 Like

I'll try that. I also did some googling and there is information about how to force the redirect so I should be OK from here I think.

Thanks again!

1 Like